FortiGate / FortiOS

FortiManager

FortiAnalyzer

Administration Guide

Introduction
Product knowledge resource
- Documentation
- Videos
New Features in 8.0.x releases
- FortiAI Integration (8.0.0)
- WAF features
- Server Policy
  - Replacement Message Support at HTTP Content Routing Policy Level (8.0.0)
  - Support for Lua Scripting with HTTP/3 (8.0.0)
- Application Delivery
- System
- Log, FortiView, and Debug
- High Availability
  - Manual HA Failover Trigger Support (8.0.0)
- Documentation enhancement
Key concepts
- Key Components of FortiWeb
- Sequence of scans
- FortiWeb's role and placement in network topology
- Operation modes
- High Availability (HA)
- Solutions for specific web attacks
- IPv6 support
- HTTP/2 support
- HTTP sessions & security
- FortiWeb high availability (HA)
- Administrative domains (ADOMs)
- How to use the web UI
- Shutdown
How to set up your FortiWeb
- Workflow
- Appliance vs. VMware
- Registering your FortiWeb
- Supported features in each operation mode
- Connecting to the web UI or CLI
- Updating the firmware
- Changing the “admin” account password
- Setting the system time & date
- Setting the operation mode
- Feature visibility
- Configuring High Availability (HA) basic settings
  - HA heartbeat & active node election
  - Synchronization
- Replicating the configuration without FortiWeb HA (external HA)
- Configuring the network settings
- Configuring DNS settings
- Configuring HA settings specifically for active-passive and standard active-active modes
- Configuring HA settings specifically for high volume active-active mode
- Defining your web servers & load balancers
  - Defining your protected/allowed HTTP “Host:” header names
  - Defining your web servers
  - Defining your proxies, clients, & X-headers
  - Defining your network services
  - Configuring virtual servers on your FortiWeb
  - Enabling or disabling traffic forwarding to your servers
- Configuring FortiWeb to receive traffic via WCCP
- Configuring basic policies
- Testing your installation
- Switching out of Offline Protection mode
FortiAI
- Enabling Administrator Access to FortiAI
- Using FortiAI
- FortiAI Tokens
- FortiAI Data Privacy
- FortiAI Example Tasks
Policies
- How operation mode affects server policy behavior
- Configuring the global object allow list
- Configuring the allow list at server policy level
- Configuring a protection profile for inline topologies
- Generating a protection profile using scanner reports
- Configuring a protection profile for an out-of-band topology or asynchronous mode of operation
- Configuring client management
- Configuring an HTTP server policy
- Configuring traffic mirror
- ADFS Proxy
- Configuring FTP security
Secure connections (SSL/TLS)
- Offloading vs. inspection
- Supported cipher suites & protocol versions
  - Supported cipher suites - for connections between FortiWeb and the clients
  - Supported cipher suites - for connection between FortiWeb and back-end servers
- CA certificates
- How to offload or inspect HTTPS
- Forcing clients to use HTTPS
- HTTP Public Key Pinning
- How to apply PKI client authentication (personal certificates)
- Seamless PKI integration
- Revoking certificates
- How to export/back up certificates & private keys
- How to change FortiWeb's default certificate
- OCSP-Based certificate revocation check
Users
- Authentication styles
- Offloading HTTP authentication and authorization
- Creating reCAPTCHA servers
Application delivery
- Rewriting & redirecting
- Compression
- Site Publishing (Single sign-on)
- Caching
  - What can be cached?
- Acceleration
- Scripting
- Waiting room
  - Customizing waiting room display page
Web protection
- Known Attacks
- Advanced protection
- Client Side Security
- Data Loss Prevention
- Input validation
- Protocol constraints
- Access control
  - Restricting access based on specific URLs
  - Specifying allowed HTTP methods
- ML Based Anomaly Detection
  - Viewing domain data
  - Viewing anomaly detection log
- Web Anti-Defacement
Zero Trust Network Access (ZTNA)
- Configuring FortiClient EMS Connector for ZTNA
- Verifying EMS CA certificate, ZTNA tag, and FortiClient endpoint synchronized from FortiClient EMS
- Configuring a ZTNA Profile
- Referencing ZTNA profile in a server policy
- ZTNA troubleshooting and debugging
Bot mitigation
- Configuring threshold based detection
- Configuring biometrics based detection
- Configuring bot deception
- Configuring known bots
- Configuring bot mitigation policy
- Configuring ML Based Bot Detection policy
  - Viewing bot detection model status
  - Viewing the bot detection violations
- Configuring Advanced Bot Protection policy
- Exception Policy
API Protection
- Configuring JSON protection
- Configuring XML protection
- Configuring GraphQL protection
  - Creating GraphQL protection rules
  - Creating GraphQL protection policy
- OpenAPI Validation
- Configuring mobile API protection
- API gateway
- Configuring ML Based API Protection policy
DoS protection
- DoS prevention
- Preventing slow and low attacks
- Exception Policy
IP Protection
- GEO IP - Blocklisting & whitelisting countries & regions
- IP List - Blocklisting & whitelisting clients using a source IP or source IP range
- IP Reputation - Blocklisting source IPs with poor reputation
- Creating IP groups
Tracking
- Compliance
Administrators
- Configuring access profiles
- Grouping remote authentication queries and certificates for administrators
- Changing an administrator’s password
- Configuring SSL certificate for the administrator access to FortiWeb GUI via HTTPS
- Certificate-based Web UI login
Advanced/optional system settings
- Changing the FortiWeb appliance’s host name
- Fail-to-wire for power loss/reboots
- Customizing error and authentication pages (replacement messages)
- Configuring machine-learning URL replacer policy
- Configuring the integrated firewall
  - Network address translation (NAT)
- Advanced settings
- Backup & restore
Dashboard
- Status dashboard
- Monitors
Log&Report
- Logging
- Alert email
- SNMP traps & queries
- Reports
- Debug log
- FortiGuard updates
- Analyzing attack logs in FortiWeb Cloud Threat Analytics
Security Fabric
- Fabric Connectors
  - FortiGSLB
  - Single Sign On (SSO)
    - FortiGate SSO
    - Single Sign On with Azure
- External connectors
- Automation
Ingress Controller
Security Operations Center-as-a-Service (SOCaaS)
Fine-tuning & best practices
- Hardening security
- Improving performance
- Improving fault tolerance
- Reducing false positives
- Regular backups
- Downloading logs in RAM before shutdown or reboot
Troubleshooting
- Introduction
- Troubleshooting outline
- Diagnosing server-policy connectivity issues
- Diagnosing system issues
- Diagnose software function issues
- Diagnose hardware issues
- System tools & diagnose commands
Appendix A: Port numbers
Appendix B: Maximum configuration values
Appendix C: FortiWeb-VM licenses
Appendix D: Supported RFCs, W3C, & IEEE standards
Appendix E: Regular expressions
Appendix F: How to purchase and renew FortiGuard licenses
Appendix G: Supported image versions for EOS models

Home FortiWeb 8.0.0 Administration Guide

8.0.0

OWASP Top 10 use case videos

Each video begins with an OWASP Top 10 user scenario explaining the type of attack or security challenge being addressed, and then shows how to configure FortiWeb features in the UI or CLI, with real-time walkthroughs.

FortiWeb: Broken Access Control - Preventing unauthorized users accessing admin path

Security risks involved: Session cookie manipulation, direct URL access (force browsing), and unauthorized actions when accessing an application.

FortiWeb's features: URL Access, User Tracking, Custom Policy, and Cookie Security.

Documents: Preventing unauthorized users accessing admin path
FortiWeb: Broken Access Control - Mitigating JWT manipulation and privilege escalation

Security risks involved: JWT Interception, Token Manipulation.

FortiWeb's features: API Gateway.

Documents: Mitigating JWT manipulation and elevation of privileges
FortiWeb: Implementing CORS for secure cross-domain API requests

Security risks involved: Cross-Origin Resource Sharing (CORS)

FortiWeb's features: CORS Protection.

Documents: Implementing CORS for secure cross-domain API requests

FortiWeb: Implementing HTTPS to protect sensitive data in transmission

Security risks involved: Failure to encrypt sensitive data transmitted over networks

FortiWeb's features: SSL Proxy, Server Certificate.

Documents: Implementing HTTPS to protect sensitive data in transmission

FortiWeb: Validating Client Certificates with mTLS Support

Security risks involved: Failing to validate SSL/TLS certificates properly, allowing man-in-the-middle attacks.

FortiWeb's features: SSL Proxy, Client Certificate.

Documents: Validating the client's certificate to secure sensitive transactions

FortiWeb: Preventing the use of weak cryptographic algorithms

Security risks involved: Implementing cryptographic algorithms that are known to be vulnerable.

FortiWeb's features: SSL cipher groups.

Documents: Preventing the use of weak cryptographic algorithms

FortiWeb: Implementing DLP to protect PII

Security risks involved: Improper exposure of PII, leading to identity theft, financial fraud, and significant privacy breaches.

FortiWeb's features: Data Loss Prevention.

Documents: Implementing Data Loss Prevention (DLP) to prevent personally identifiable information exposure

FortiWeb: Protecting against Man in the Browser (MitB) Attacks

Security risks involved: Transmit sensitive user input such as password and credit card number without encryption.

FortiWeb's features: Man in the Browser Protection.

Documents: Applying an extra layer of encryption on sensitive user inputs

FortiWeb: Preventing Padding Oracle Attacks

Security risks involved: Block cipher encryption modes such as CBC might be exploited by cipher padding attacks, leading to session IDs or cookies hijacked.

FortiWeb's features: Padding Oracle Protection.

Documents: Preventing Padding Oracle Attacks

FortiWeb: Mitigating Injection attacks - A focused case study on Reflected XSS

Security risks involved: Reflected XSS Injection

FortiWeb's features: Signatures, SQL/XSS Syntax Based Detection, Machine Learning based Anomaly Detection

Documents: Mitigating Injection attacks: A focused case study on Reflected XSS

FortiWeb: Validating uploaded files to prevent potential injections

Security risks involved: Remote File Inclusion (RFI), Local File Inclusion (LFI), Malware Distribution.

FortiWeb's features: File Security, FortiSandbox, Web Shell detection.

Documents: Validating uploaded files to prevent potential injections

FortiWeb: Implementing HTTP security headers to prevent potential injections

Security risks involved: Clickjacking, MIME content-sniffing, Cross-Site Scripting (XSS)

FortiWeb's features: HTTP Header Security

Documents: Implementing HTTP security headers to prevent potential injections

FortiWeb: Validating HTTP headers to prevent potential injections

Security risks involved: Host Header Injection, HTTP Response Splitting:

FortiWeb's features: HTTP Protocol Constraints

Documents: Validating HTTP headers to prevent potential injections

FortiWeb: Validating user input to prevent potential injections

Security risks involved: User input manipulation

FortiWeb's features: Input Validation, Signature based SQL/XSS Injection Detection, SQL/XSS Syntax-based detection, Machine Learning based Anomaly Detection

Documents: Validating user input to prevent potential injections

OWASP Top 10 use case videos

FortiWeb: Broken Access Control - Preventing unauthorized users accessing admin path

Security risks involved: Session cookie manipulation, direct URL access (force browsing), and unauthorized actions when accessing an application.

FortiWeb's features: URL Access, User Tracking, Custom Policy, and Cookie Security.

Documents: Preventing unauthorized users accessing admin path
FortiWeb: Broken Access Control - Mitigating JWT manipulation and privilege escalation

Security risks involved: JWT Interception, Token Manipulation.

FortiWeb's features: API Gateway.

Documents: Mitigating JWT manipulation and elevation of privileges
FortiWeb: Implementing CORS for secure cross-domain API requests

Security risks involved: Cross-Origin Resource Sharing (CORS)

FortiWeb's features: CORS Protection.

Documents: Implementing CORS for secure cross-domain API requests

FortiWeb: Implementing HTTPS to protect sensitive data in transmission

Security risks involved: Failure to encrypt sensitive data transmitted over networks

FortiWeb's features: SSL Proxy, Server Certificate.

Documents: Implementing HTTPS to protect sensitive data in transmission

FortiWeb: Validating Client Certificates with mTLS Support

Security risks involved: Failing to validate SSL/TLS certificates properly, allowing man-in-the-middle attacks.

FortiWeb's features: SSL Proxy, Client Certificate.

Documents: Validating the client's certificate to secure sensitive transactions

FortiWeb: Preventing the use of weak cryptographic algorithms

Security risks involved: Implementing cryptographic algorithms that are known to be vulnerable.

FortiWeb's features: SSL cipher groups.

Documents: Preventing the use of weak cryptographic algorithms

FortiWeb: Implementing DLP to protect PII

Security risks involved: Improper exposure of PII, leading to identity theft, financial fraud, and significant privacy breaches.

FortiWeb's features: Data Loss Prevention.

Documents: Implementing Data Loss Prevention (DLP) to prevent personally identifiable information exposure

FortiWeb: Protecting against Man in the Browser (MitB) Attacks

Security risks involved: Transmit sensitive user input such as password and credit card number without encryption.

FortiWeb's features: Man in the Browser Protection.

Documents: Applying an extra layer of encryption on sensitive user inputs

FortiWeb: Preventing Padding Oracle Attacks

Security risks involved: Block cipher encryption modes such as CBC might be exploited by cipher padding attacks, leading to session IDs or cookies hijacked.

FortiWeb's features: Padding Oracle Protection.

Documents: Preventing Padding Oracle Attacks

FortiWeb: Mitigating Injection attacks - A focused case study on Reflected XSS

Security risks involved: Reflected XSS Injection

FortiWeb's features: Signatures, SQL/XSS Syntax Based Detection, Machine Learning based Anomaly Detection

Documents: Mitigating Injection attacks: A focused case study on Reflected XSS

FortiWeb: Validating uploaded files to prevent potential injections

Security risks involved: Remote File Inclusion (RFI), Local File Inclusion (LFI), Malware Distribution.

FortiWeb's features: File Security, FortiSandbox, Web Shell detection.

Documents: Validating uploaded files to prevent potential injections

FortiWeb: Implementing HTTP security headers to prevent potential injections

Security risks involved: Clickjacking, MIME content-sniffing, Cross-Site Scripting (XSS)

FortiWeb's features: HTTP Header Security

Documents: Implementing HTTP security headers to prevent potential injections

FortiWeb: Validating HTTP headers to prevent potential injections

Security risks involved: Host Header Injection, HTTP Response Splitting:

FortiWeb's features: HTTP Protocol Constraints

Documents: Validating HTTP headers to prevent potential injections

FortiWeb: Validating user input to prevent potential injections

Security risks involved: User input manipulation

FortiWeb's features: Input Validation, Signature based SQL/XSS Injection Detection, SQL/XSS Syntax-based detection, Machine Learning based Anomaly Detection

Documents: Validating user input to prevent potential injections

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

Web Application / API Protection

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

All Products

Administration Guide

OWASP Top 10 use case videos

OWASP Top 10 use case videos

OWASP Top 10 use case videos

OWASP Top 10 use case videos